使用 RODBC 的参数化查询 [英] Parameterized queries with RODBC

问题描述

我在 R 中有一个变量，我想将其传递给数据库.我可以使用paste，就像许多人在阅读谷歌搜索结果时所建议的那样，但由于 SQL 注入漏洞，这是不安全的.我更喜欢这样的东西:

I have a variable in R that I would like to pass to a database. I could use paste like many suggest when reading Google results, but that is unsafe because of SQL injection vulnerabilities. I'd rather prefer something like this:

x <- 42
sqlQuery(db, 'SELECT Id, Name FROM People WHERE Age > ?;', bind=c(x))

是否可以在 RODBC 中使用参数化查询?如果没有，是否有支持它们的替代库?

Is it possible to use parameterized queries with RODBC? If not, is there an alternative library that supports them?

我使用的是 SQL Server、RODBC 1.3-6 和 R 3.0.0.

I'm using SQL Server, RODBC 1.3-6 and R 3.0.0.

推荐答案

Mateusz Zoltak 在 2014 年编写了 RODBCext 包(基于 Brian Ripley 和 Michael Lapsley 的工作):

Mateusz Zoltak wrote RODBCext package in 2014 (based on work by Brian Ripley and Michael Lapsley):

conn = odbcConnect('MyDataSource')

sqlPrepare(conn, "SELECT * FROM myTable WHERE column = ?")
sqlExecute(conn, 'myValue')
sqlFetchMore(conn)

来源:http://cran.r-project.org/web/packages/RODBCext/vignettes/Parameterized_SQL_queries.html

这篇关于使用 RODBC 的参数化查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！